Trusted Network Connect (TNC)

Summary

This feature provides Trusted Network Connect(TNC) framework that can be used to assess and verify end clients' system state (such as network ports/firewall status or legitimate binaries) and its compliance to a predefined policy with existing network access control (NAC) solutions.

Owner

Current status

Currently this work requires a patch in freeradius for enabling EAP-TNC. The patch is attached in this rh bz https://bugzilla.redhat.com/show_bug.cgi?id=712903 . freeradius upstream has already committed the TNC part of the patch and the upstream commit is here:

I am still working with freeradius upstream to merge the ttls part. As soon as the upstream merges the whole patch, the patch will be built in fedora, and I will provide concrete testing instructions for anybody to test, and update the status here.

Meanwhile, I have added a new package to fedora which is strongswan-tnc-imcvs that provides PTS functionality for this feature. The link for this package is here:

Detailed Description

Traditionally network access control (NAC) has lacked the ability in its decision making to assess endpoint's security posture and its compliance to enterprise policies. (For example, a network might want to grant only limited access to clients that have exploitable browser plugins installed.) This lack of assessment may leave an enterprise's network vulnerable to malicious attacks. Trusted Computing Group (TCG) (and IETF too) has defined an open architecture called Trusted network connect (TNC) (IETF's Network Endpoint Assessment (NEA)) to fill this gap. TNC, as part of its architectural components, includes integrity measurement collectors (IMCs) and TNC client at endpoint and integrity measurement verifiers (IMVs) and TNC server at enterprise network side communicating over NAC solutions such as EAP with 802.1X to evaluate and verify the security posture of the endpoint against the enterprise policies before allowing network access. For this, TCG has released transport (IF-T), session (IF-TNCCS) and messaging (IF-M) standards which are open and interoperable. TNC architecture by virtue of it's IF-M protocol can leverage NIST's SCAP's (OpenSCAP) automated security aspects for measurement collection, verification and remediation. In addition, TCG has defined IF-PTS and PTS protocol specifications to integrate platform trust services (PTS) with TNC for TPM based attestation of integrity measurements. PTS protocol defines messaging payloads to be used over IF-M protocol.

This feature includes the aforementioned functionalities and aims to provide an end-to-end network based client assessment, verification and remediation.

Benefit to Fedora

System and network administrators using fedora can now utilize the potential of open and interoperable TNC protocols over existing NAC solutions. It helps them reduce the possibility of allowing a vulnerable client accessing their network.

User Experience

Users should be able to see if their system is in compliance to their network's predfined policy and are able to gain access to the network. If their system is not compliant, they should remediate it before trying to access the network again.

Dependencies

This feature requires EAP-TNC support with wpa_supplicant and freeradius.

Contingency Plan

Although, this feature works on top of wpa_supplicant and can be used with NM, this does not require any changes in wpa_supplicant currently, so wont impact any existing functionality, and other packages part of this feature are stand alone in themselves. In summary, this feature does not change any part of the current networking stack, so won't break any existing networking functionality. If a user does not use this feature, there is no impact on other functionalities.

Release Notes

Fedora 19 offers support for Trusted Network Connect protocols to be used with 802.1X framework. OpenSCAP based client (IMC) and server (IMV) plugins are provided to leverage SCAP based measurements collection, verification, and remediation. It offers PTS protocol functionality for TPM based attestation of integrity measurements. It also includes some basic prototype IMCs and IMVs and provides a development library to build custom IMCs and IMVs.